The PRISM scandal, a not to be missed opportunity for the Council of Europe

Date of publication
13.6.13 22:00

The PRISM scandal is touching on a lot of sensitive and complex topics, from privacy to international politics and critical infrastructure, but there is at least one thing which is clear: the situation is totally confused.

Not only do we not know what actually happened, but even the Washington Post, which broke the news, has significantly adjusted its initial article, as spotted by ZDNet in its article “The real story in the NSA scandal is the collapse of journalism”. While it is a fact that the Washington Post no longer claims that the technology companies “participated knowingly in PRISM operations”, we have no indication why the newspaper changed its article in a way favorable to these companies.

Interviewed two days ago by the French news site Atlantico on what is behind PRISM (you can read it here), I thought that actually the questions and my answers could be relevant for the Octopus community.

The first question was about what happened in practice.

On June 11, it was impossible to understand what actually happened in the PRISM program, and as of today we still don’t know. It is nevertheless useful to put this issue of direct access to data by the NSA in perspective with the daily reality of the companies allegedly involved.

We shall keep in mind that in all companies – whether they are US, European or whatever – the teams in charge of handling legal requests from police forces and intelligence units are cost centers. In some countries ISPs can charge law enforcement, but this is an exception, not the rule. So these teams don’t generate any money, they only damage the bottom line. Therefore, the visceral reaction of any business is to minimize the volume of responses to legal requests. This being understood, an initiative like PRISM is basically perceived by companies as a threat to their freedom of action and to the good management of their infrastructure.

Among the companies involved, namely AOL, Apple, Facebook, Google (and YouTube), Microsoft (and Skype), Paltalk and Yahoo!, none has ever been owned by the U.S. government. At most, some have better connections with the White House than others. Therefore, imposing PRISM on these companies would require U.S. authorities either to use an absolute coercive power, which has not been proven yet, or to overcome the issue of cost by providing money in addition to the political/legal pressure. The amount of money necessary for an effective implementation of PRISM by all the tech companies can be estimated to be in the hundreds of millions of dollars. This is not small money, even for the USA, and even if we ignore the “fiscal cliff”.

Finally, let us remember the FBI's Carnivore program, which in the early 2000s created as much anxiety as PRISM, but proved ultimately to be ineffective in processing the massive flow of information circulating on the Internet.

“It's important to recognize that you can't have 100 percent security and also then have 100 percent privacy and zero inconvenience,” said Obama, before adding “We're going to have to make some choices as a society.”

This is quite an intriguing statement, to say the least. Obama seems to suggest that our society has yet to choose between security and privacy. Until now, it was assumed that our democratic societies had already made their choice. We thought that we had reached a balance – certainly imperfect – according to which the State had investigative and intelligence capabilities in exchange for a limitation of these capacities within legally fixed boundaries.

Of the nine companies involved in PRISM, none guarantees 100% safety and none wants 100% privacy for its customers. As for the inconvenience, companies like Microsoft and Facebook have voluntarily implemented automatic detection, deletion and reporting of child abuse material found on their platforms to the National Center for Missing and Exploited Children, a proactive measure which applies to their customers worldwide. This program, called PhotoDNA, is public and has not raised any controversy to date. So implying that ISPs would not tolerate any inconvenience is also incorrect.

This said, Obama is right on the need to constantly readjust the balance between security and privacy. If we look at the issue of child abuse material, and how mobile phones facilitate the recording of videos of scenes of abuse, it is a fact that the ability to distribute material exceeds the capacity of law enforcement to track and stop the offenders. Without more advanced analysis tools and automated processes such as PhotoDNA, we will not be able even to limit the dissemination of such content. These tools and processes will in turn become even worse than the disease they cure if States are unable to operate under the rule of law.

For the time being, PRISM seems to prove that a country like the United States does not yet have the surveillance tools it needs, and the persistent confusion shows that reaching the balance between privacy and security is a very long journey.

What attitude should European countries adopt in the face of massive surveillance programs?

The instinctive reaction of European authorities will be to raise concerns and ask for clarifications, and it has already started. Given the total lack of trust among governments and between citizens, industry and governments, whatever response is given will not reassure anyone.

So the path towards trust will not be to understand what has been done, but to rebuild trust from zero. The boldest and most useful reaction would be for countries which embrace the Cybercrime Convention to engage in a healthy competition on providing more transparency on their own practices and processes. The countries which would provide the best balance between security and privacy would not only gain the confidence of their own citizens, they would give a clear competitive advantage to their own cloud providers.

Guess what happens when an industry takes advantage of a trusted national legal framework? It creates jobs, charges VAT to its customers and pays taxes… all things badly needed in Europe these days.

The Cybercrime Convention is much more than a set of legal rules; it is about the rule of law, trust, the balance between security and privacy, and a well-defined cooperation between industry and authorities, i.e. exactly what is missing in the PRISM scandal. The Council of Europe should not be shy about reminding the community of States which signed the Convention, including of course the USA, how useful it can be to them. The next Octopus conference, on 4th to 6th December, looks very promising!

The real challenge here is finding traitors within government organizations - something that has long been known as the insider threat. Perhaps this falls within the rubric of cyber security.

Communications surveillance has existed for at least the past two millennia, and explicit provisions allowing for it in telecommunication networks by Nation States have been instituted in international treaty instruments since 1850. Essentially every nation maintains the capabilities, both directly using their own facilities and via service providers.

The Octopus Conference needs to focus on cybercrime and on instituting the means for meeting the provisions of the Convention, and not on what Nation States have done for millennia to protect themselves and their infrastructure.